{
  "cells": [
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "3y8D8k6UPYrq"
      },
      "source": [
        "# GRR Colab"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "MhnEhE_498Zd"
      },
      "outputs": [],
      "source": [
        "%load_ext grr_colab.ipython_extension"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "RmAtn57P98Zg"
      },
      "outputs": [],
      "source": [
        "import grr_colab"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "rWf9o5nl98Zi"
      },
      "source": [
        "Specifying GRR Colab flags:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "-jh2NybI98Zj"
      },
      "outputs": [],
      "source": [
        "grr_colab.flags.FLAGS.set_default('grr_http_api_endpoint', 'http://localhost:8000/')\n",
        "grr_colab.flags.FLAGS.set_default('grr_admin_ui_url', 'http://localhost:8000/')\n",
        "grr_colab.flags.FLAGS.set_default('grr_auth_api_user', 'admin')\n",
        "grr_colab.flags.FLAGS.set_default('grr_auth_password', 'admin')"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "OJaMYRetyoZS"
      },
      "source": [
        "## Magics API"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "SDKewNOmhhDJ"
      },
      "source": [
        "GRR magics allow to search for clients and then to choose a single client to work with. The results of magics are represented as pandas dataframes unless they are primitives."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "oPwJovFiPkkX"
      },
      "source": [
        "### Searching clients"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "lQYg5faIhS98"
      },
      "source": [
        "You can search for clients by specifying username, hostname, client labels etc. The results are sorted by the last seen column."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 216
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 901,
          "status": "ok",
          "timestamp": 1563351594504,
          "user_tz": -120
        },
        "id": "jgzKnDyJRNwj",
        "outputId": "f246ce78-538a-4bcb-c92a-7a560401b3d8"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eonline\u003c/th\u003e\n",
              "      \u003cth\u003eonline.pretty\u003c/th\u003e\n",
              "      \u003cth\u003eclient_id\u003c/th\u003e\n",
              "      \u003cth\u003elast_seen_ago\u003c/th\u003e\n",
              "      \u003cth\u003elast_seen_at.pretty\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003eonline\u003c/td\u003e\n",
              "      \u003ctd\u003e🌕\u003c/td\u003e\n",
              "      \u003ctd\u003eC.dc3782aeab2c5b4c\u003c/td\u003e\n",
              "      \u003ctd\u003e0 seconds ago\u003c/td\u003e\n",
              "      \u003ctd\u003e2019-08-30 09:53:28.039821\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   online online.pretty           client_id  last_seen_ago  \\\n",
              "0  online             🌕  C.dc3782aeab2c5b4c  0 seconds ago   \n",
              "\n",
              "         last_seen_at.pretty  \n",
              "0 2019-08-30 09:53:28.039821  "
            ]
          },
          "execution_count": 65,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "df = %grr_search_clients -u admin\n",
        "df[['online', 'online.pretty', 'client_id', 'last_seen_ago', 'last_seen_at.pretty']]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "81mMQ1oZw4Pq"
      },
      "source": [
        "There is a shortcut for searching for online only clients directly so that you don't need to filter the dataframe."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 168
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 1946,
          "status": "ok",
          "timestamp": 1563984753775,
          "user_tz": -120
        },
        "id": "dlVH_YmwAJYH",
        "outputId": "27595944-0c82-4a93-cfa3-f6bfdc0fb716"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eonline\u003c/th\u003e\n",
              "      \u003cth\u003eonline.pretty\u003c/th\u003e\n",
              "      \u003cth\u003eclient_id\u003c/th\u003e\n",
              "      \u003cth\u003elast_seen_ago\u003c/th\u003e\n",
              "      \u003cth\u003elast_seen_at.pretty\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003eonline\u003c/td\u003e\n",
              "      \u003ctd\u003e🌕\u003c/td\u003e\n",
              "      \u003ctd\u003eC.dc3782aeab2c5b4c\u003c/td\u003e\n",
              "      \u003ctd\u003e0 seconds ago\u003c/td\u003e\n",
              "      \u003ctd\u003e2019-08-30 09:53:38.331647\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   online online.pretty           client_id  last_seen_ago  \\\n",
              "0  online             🌕  C.dc3782aeab2c5b4c  0 seconds ago   \n",
              "\n",
              "         last_seen_at.pretty  \n",
              "0 2019-08-30 09:53:38.331647  "
            ]
          },
          "execution_count": 66,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "df = %grr_search_online_clients -u admin\n",
        "df[['online', 'online.pretty', 'client_id', 'last_seen_ago', 'last_seen_at.pretty']]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "z4SgDQKzAaGC"
      },
      "source": [
        "Every datetime field has two representations: the original one that is microseconds and the pretty one that is pandas timestamp. "
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 80
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 256,
          "status": "ok",
          "timestamp": 1563983824534,
          "user_tz": -120
        },
        "id": "8G5Q5udIASP_",
        "outputId": "c6c088bc-0171-4b3f-e9a9-0d1e820d05d5"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003elast_seen_at\u003c/th\u003e\n",
              "      \u003cth\u003elast_seen_at.pretty\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e1567158818331647\u003c/td\u003e\n",
              "      \u003ctd\u003e2019-08-30 09:53:38.331647\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "       last_seen_at        last_seen_at.pretty\n",
              "0  1567158818331647 2019-08-30 09:53:38.331647"
            ]
          },
          "execution_count": 67,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "df[['last_seen_at', 'last_seen_at.pretty']]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "yM7mCpdARaPb"
      },
      "source": [
        "### Setting current clients"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "5aVFfVSsA-cH"
      },
      "source": [
        "To work with a client you need to select a client first. It means that you are able to work only with a single client simultaneously using magic commands (there is no such restriction for Pyhton API). To set a client you need either a hostname (works in case of one client set up for that hostname) or a client ID which you can get from the search clients dataframe."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 296,
          "status": "ok",
          "timestamp": 1563984754202,
          "user_tz": -120
        },
        "id": "XciCbMseRSXL",
        "outputId": "9639a804-6d28-400b-9219-b1612d46f394"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'C.dc3782aeab2c5b4c'"
            ]
          },
          "execution_count": 68,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client_id = df['client_id'][0]\n",
        "%grr_set_client -c {client_id}\n",
        "\n",
        "%grr_id"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "R_Fweq-uF5zM"
      },
      "source": [
        "An attempt to set a client with a hostname that has multiple clients will lead to an exception."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "zGczuyXNGmVK"
      },
      "source": [
        "### Requesting approvals"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "A6dCjbPFGv-i"
      },
      "source": [
        "If you don't have valid approvals for the selected client, you will get an error while attempting to run a flow on it. You can request an approval with magic commands specifying the reason and list of approvers."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "1lvg4vOaHG8Y"
      },
      "outputs": [],
      "source": [
        "%grr_request_approval -r \"For testing\" -a admin"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "sdO19hBwHZ_Y"
      },
      "source": [
        "This function will not wait until the approval is granted. If you need your code to wait until it's granted, use `grr_request_approval_and_wait` instead."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "xNA5DjocGF70"
      },
      "source": [
        "### Exploring filesystem"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "qZYQPlUWHw1e"
      },
      "source": [
        "In addition to the selected client, working directory is also saved. It means that you can use relative paths instead of absolute. Note that the existence of directories is not checked and you will not get an error if you try to cd into directory that does not exist."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "2JDhzxv2IX_U"
      },
      "source": [
        "Initially you are in the root directory."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 32,
          "status": "ok",
          "timestamp": 1564580365581,
          "user_tz": -120
        },
        "id": "tKbefgf4R9jz",
        "outputId": "9d1fe7b7-d26a-47ca-b3e8-0f8accc906fc"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'/'"
            ]
          },
          "execution_count": 69,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_pwd"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 47,
          "status": "ok",
          "timestamp": 1564580368172,
          "user_tz": -120
        },
        "id": "lv1Ly-16Idnv",
        "outputId": "8bfb676c-f8cf-4929-8a22-9db3f12f8b60"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'/tmp/foo/bar'"
            ]
          },
          "execution_count": 70,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_cd tmp/foo/bar\n",
        "%grr_pwd"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 55,
          "status": "ok",
          "timestamp": 1564580370573,
          "user_tz": -120
        },
        "id": "QamW8iCHInMs",
        "outputId": "505924a2-dc88-4957-a103-35620a8d8e7d"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'/tmp/foo/baz'"
            ]
          },
          "execution_count": 71,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_cd ../baz\n",
        "%grr_pwd"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "arrQ02UhKmlY"
      },
      "source": [
        "You can ls the current directory and any other directories specified by relative and absolute paths."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "4iA1RP9UOvGY"
      },
      "source": [
        "**Note**. The most file-related magics start flows and fetch live data from the client. It means that the client has to be online in order for them to work."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 193
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16697,
          "status": "ok",
          "timestamp": 1563351630457,
          "user_tz": -120
        },
        "id": "DLwaNBDcJ0Iq",
        "outputId": "39d2e72a-fe03-4957-bdc1-a22f2bbcb61d"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003est_mode\u003c/th\u003e\n",
              "      \u003cth\u003est_mode.pretty\u003c/th\u003e\n",
              "      \u003cth\u003est_ino\u003c/th\u003e\n",
              "      \u003cth\u003est_dev\u003c/th\u003e\n",
              "      \u003cth\u003est_nlink\u003c/th\u003e\n",
              "      \u003cth\u003est_uid\u003c/th\u003e\n",
              "      \u003cth\u003est_gid\u003c/th\u003e\n",
              "      \u003cth\u003est_size\u003c/th\u003e\n",
              "      \u003cth\u003est_atime\u003c/th\u003e\n",
              "      \u003cth\u003est_mtime\u003c/th\u003e\n",
              "      \u003cth\u003est_ctime\u003c/th\u003e\n",
              "      \u003cth\u003est_blocks\u003c/th\u003e\n",
              "      \u003cth\u003est_blksize\u003c/th\u003e\n",
              "      \u003cth\u003est_rdev\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_osx\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_linux\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "      \u003ctd\u003e17696532\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e2\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/dir1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "      \u003ctd\u003e17832583\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e3\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157734\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/dir2\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e2\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e17696534\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e70\u003c/td\u003e\n",
              "      \u003ctd\u003e1567158029\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e3\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e17696533\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e23\u003c/td\u003e\n",
              "      \u003ctd\u003e1567158209\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157627\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157627\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   st_mode st_mode.pretty    st_ino  st_dev  st_nlink  st_uid  st_gid  \\\n",
              "0    16877     drwxr-xr-x  17696532   65025         2  585945   89939   \n",
              "1    16877     drwxr-xr-x  17832583   65025         3  585945   89939   \n",
              "2    33188     -rw-r--r--  17696534   65025         1  585945   89939   \n",
              "3    33188     -rw-r--r--  17696533   65025         1  585945   89939   \n",
              "\n",
              "   st_size    st_atime    st_mtime    st_ctime  st_blocks  st_blksize  \\\n",
              "0     4096  1567157599  1567157599  1567157599          8        4096   \n",
              "1     4096  1567157734  1567157599  1567157599          8        4096   \n",
              "2       70  1567158029  1567157649  1567157649          8        4096   \n",
              "3       23  1567158209  1567157627  1567157627          8        4096   \n",
              "\n",
              "   st_rdev pathspec.pathtype       pathspec.path pathspec.path_options  \\\n",
              "0        0                OS   /tmp/foo/baz/dir1          CASE_LITERAL   \n",
              "1        0                OS   /tmp/foo/baz/dir2          CASE_LITERAL   \n",
              "2        0                OS  /tmp/foo/baz/file1          CASE_LITERAL   \n",
              "3        0                OS  /tmp/foo/baz/file2          CASE_LITERAL   \n",
              "\n",
              "   st_flags_osx  st_flags_linux  \n",
              "0             0          524288  \n",
              "1             0          524288  \n",
              "2             0          524288  \n",
              "3             0          524288  "
            ]
          },
          "execution_count": 72,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "df = %grr_ls\n",
        "df"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "huZeYWI0Dy4J"
      },
      "source": [
        "Stat mode has two representations: number and UNIX-style:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "G7PqZ41qDy4K",
        "outputId": "4ac4b6db-8603-4b2a-91e4-5db206747d06"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003est_mode\u003c/th\u003e\n",
              "      \u003cth\u003est_mode.pretty\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e2\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e3\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   st_mode st_mode.pretty\n",
              "0    16877     drwxr-xr-x\n",
              "1    16877     drwxr-xr-x\n",
              "2    33188     -rw-r--r--\n",
              "3    33188     -rw-r--r--"
            ]
          },
          "execution_count": 73,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "df[['st_mode', 'st_mode.pretty']]"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 100
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16403,
          "status": "ok",
          "timestamp": 1563351646920,
          "user_tz": -120
        },
        "id": "mrTFxIkgKPko",
        "outputId": "c671132a-677d-499e-fcc7-ffd65c4bfb22"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003est_mode\u003c/th\u003e\n",
              "      \u003cth\u003est_mode.pretty\u003c/th\u003e\n",
              "      \u003cth\u003est_ino\u003c/th\u003e\n",
              "      \u003cth\u003est_dev\u003c/th\u003e\n",
              "      \u003cth\u003est_nlink\u003c/th\u003e\n",
              "      \u003cth\u003est_uid\u003c/th\u003e\n",
              "      \u003cth\u003est_gid\u003c/th\u003e\n",
              "      \u003cth\u003est_size\u003c/th\u003e\n",
              "      \u003cth\u003est_atime\u003c/th\u003e\n",
              "      \u003cth\u003est_mtime\u003c/th\u003e\n",
              "      \u003cth\u003est_ctime\u003c/th\u003e\n",
              "      \u003cth\u003est_blocks\u003c/th\u003e\n",
              "      \u003cth\u003est_blksize\u003c/th\u003e\n",
              "      \u003cth\u003est_rdev\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_osx\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_linux\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "      \u003ctd\u003e17835392\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e2\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/dir2/dir3\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   st_mode st_mode.pretty    st_ino  st_dev  st_nlink  st_uid  st_gid  \\\n",
              "0    16877     drwxr-xr-x  17835392   65025         2  585945   89939   \n",
              "\n",
              "   st_size    st_atime    st_mtime    st_ctime  st_blocks  st_blksize  \\\n",
              "0     4096  1567157599  1567157599  1567157599          8        4096   \n",
              "\n",
              "   st_rdev pathspec.pathtype           pathspec.path pathspec.path_options  \\\n",
              "0        0                OS  /tmp/foo/baz/dir2/dir3          CASE_LITERAL   \n",
              "\n",
              "   st_flags_osx  st_flags_linux  \n",
              "0             0          524288  "
            ]
          },
          "execution_count": 74,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_ls ../baz/dir2"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 100
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16313,
          "status": "ok",
          "timestamp": 1563351663305,
          "user_tz": -120
        },
        "id": "JSiXH5irKU8A",
        "outputId": "9327a3cd-fc70-4a5f-afb7-e6ea064eede4"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003est_mode\u003c/th\u003e\n",
              "      \u003cth\u003est_mode.pretty\u003c/th\u003e\n",
              "      \u003cth\u003est_ino\u003c/th\u003e\n",
              "      \u003cth\u003est_dev\u003c/th\u003e\n",
              "      \u003cth\u003est_nlink\u003c/th\u003e\n",
              "      \u003cth\u003est_uid\u003c/th\u003e\n",
              "      \u003cth\u003est_gid\u003c/th\u003e\n",
              "      \u003cth\u003est_size\u003c/th\u003e\n",
              "      \u003cth\u003est_atime\u003c/th\u003e\n",
              "      \u003cth\u003est_mtime\u003c/th\u003e\n",
              "      \u003cth\u003est_ctime\u003c/th\u003e\n",
              "      \u003cth\u003est_blocks\u003c/th\u003e\n",
              "      \u003cth\u003est_blksize\u003c/th\u003e\n",
              "      \u003cth\u003est_rdev\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_osx\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_linux\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "      \u003ctd\u003e17567410\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e2\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157544\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157544\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157544\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/bar\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "      \u003ctd\u003e17695802\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157664\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157631\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157631\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   st_mode st_mode.pretty    st_ino  st_dev  st_nlink  st_uid  st_gid  \\\n",
              "0    16877     drwxr-xr-x  17567410   65025         2  585945   89939   \n",
              "1    16877     drwxr-xr-x  17695802   65025         4  585945   89939   \n",
              "\n",
              "   st_size    st_atime    st_mtime    st_ctime  st_blocks  st_blksize  \\\n",
              "0     4096  1567157544  1567157544  1567157544          8        4096   \n",
              "1     4096  1567157664  1567157631  1567157631          8        4096   \n",
              "\n",
              "   st_rdev pathspec.pathtype pathspec.path pathspec.path_options  \\\n",
              "0        0                OS  /tmp/foo/bar          CASE_LITERAL   \n",
              "1        0                OS  /tmp/foo/baz          CASE_LITERAL   \n",
              "\n",
              "   st_flags_osx  st_flags_linux  \n",
              "0             0          524288  \n",
              "1             0          524288  "
            ]
          },
          "execution_count": 75,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_ls /tmp/foo"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "q_DhU34QK_89"
      },
      "source": [
        "To see some metadata of a file you can just call `grr_stat` function."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 100
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16828,
          "status": "ok",
          "timestamp": 1563351680228,
          "user_tz": -120
        },
        "id": "nsdAPE3zMkmR",
        "outputId": "17d9b85f-4af7-4334-f006-844e8c3f4535"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003est_mode\u003c/th\u003e\n",
              "      \u003cth\u003est_mode.pretty\u003c/th\u003e\n",
              "      \u003cth\u003est_ino\u003c/th\u003e\n",
              "      \u003cth\u003est_dev\u003c/th\u003e\n",
              "      \u003cth\u003est_nlink\u003c/th\u003e\n",
              "      \u003cth\u003est_uid\u003c/th\u003e\n",
              "      \u003cth\u003est_gid\u003c/th\u003e\n",
              "      \u003cth\u003est_size\u003c/th\u003e\n",
              "      \u003cth\u003est_atime\u003c/th\u003e\n",
              "      \u003cth\u003est_mtime\u003c/th\u003e\n",
              "      \u003cth\u003est_ctime\u003c/th\u003e\n",
              "      \u003cth\u003est_blocks\u003c/th\u003e\n",
              "      \u003cth\u003est_blksize\u003c/th\u003e\n",
              "      \u003cth\u003est_rdev\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_osx\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_linux\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e17696534\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e70\u003c/td\u003e\n",
              "      \u003ctd\u003e1567158029\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   st_mode st_mode.pretty    st_ino  st_dev  st_nlink  st_uid  st_gid  \\\n",
              "0    33188     -rw-r--r--  17696534   65025         1  585945   89939   \n",
              "\n",
              "   st_size    st_atime    st_mtime    st_ctime  st_blocks  st_blksize  \\\n",
              "0       70  1567158029  1567157649  1567157649          8        4096   \n",
              "\n",
              "   st_rdev pathspec.pathtype       pathspec.path pathspec.path_options  \\\n",
              "0        0                OS  /tmp/foo/baz/file1          CASE_LITERAL   \n",
              "\n",
              "   st_flags_osx  st_flags_linux  \n",
              "0             0          524288  "
            ]
          },
          "execution_count": 76,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_stat file1"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "XXdPcVEgB--K"
      },
      "source": [
        "You can use globbing for stat:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 131
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16416,
          "status": "ok",
          "timestamp": 1563351835244,
          "user_tz": -120
        },
        "id": "BfMe8FgaB2VB",
        "outputId": "0e439540-3c3d-4e29-928e-81b1674b1ee6"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003est_mode\u003c/th\u003e\n",
              "      \u003cth\u003est_mode.pretty\u003c/th\u003e\n",
              "      \u003cth\u003est_ino\u003c/th\u003e\n",
              "      \u003cth\u003est_dev\u003c/th\u003e\n",
              "      \u003cth\u003est_nlink\u003c/th\u003e\n",
              "      \u003cth\u003est_uid\u003c/th\u003e\n",
              "      \u003cth\u003est_gid\u003c/th\u003e\n",
              "      \u003cth\u003est_size\u003c/th\u003e\n",
              "      \u003cth\u003est_atime\u003c/th\u003e\n",
              "      \u003cth\u003est_mtime\u003c/th\u003e\n",
              "      \u003cth\u003est_ctime\u003c/th\u003e\n",
              "      \u003cth\u003est_blocks\u003c/th\u003e\n",
              "      \u003cth\u003est_blksize\u003c/th\u003e\n",
              "      \u003cth\u003est_rdev\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_osx\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_linux\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e17696534\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e70\u003c/td\u003e\n",
              "      \u003ctd\u003e1567158029\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e17696533\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e23\u003c/td\u003e\n",
              "      \u003ctd\u003e1567158209\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157627\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157627\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   st_mode st_mode.pretty    st_ino  st_dev  st_nlink  st_uid  st_gid  \\\n",
              "0    33188     -rw-r--r--  17696534   65025         1  585945   89939   \n",
              "1    33188     -rw-r--r--  17696533   65025         1  585945   89939   \n",
              "\n",
              "   st_size    st_atime    st_mtime    st_ctime  st_blocks  st_blksize  \\\n",
              "0       70  1567158029  1567157649  1567157649          8        4096   \n",
              "1       23  1567158209  1567157627  1567157627          8        4096   \n",
              "\n",
              "   st_rdev pathspec.pathtype       pathspec.path pathspec.path_options  \\\n",
              "0        0                OS  /tmp/foo/baz/file1          CASE_LITERAL   \n",
              "1        0                OS  /tmp/foo/baz/file2          CASE_LITERAL   \n",
              "\n",
              "   st_flags_osx  st_flags_linux  \n",
              "0             0          524288  \n",
              "1             0          524288  "
            ]
          },
          "execution_count": 77,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_stat \"file*\""
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "NP6vR78cNUEX"
      },
      "source": [
        "You can print the first bytes of a file:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16919,
          "status": "ok",
          "timestamp": 1563351697201,
          "user_tz": -120
        },
        "id": "MK4H3nVnOW7e",
        "outputId": "162a0809-e802-47de-96c4-d1877196a666"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "b'This is the first line\\nThis is'"
            ]
          },
          "execution_count": 78,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_head file1 -c 30"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "6KBacz1eQh7e"
      },
      "source": [
        "Alghough there is no offset in original bash `head` command you can specify offset in `grr_head`:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 1046,
          "status": "ok",
          "timestamp": 1564580377770,
          "user_tz": -120
        },
        "id": "1RVp8RGjl-eF",
        "outputId": "1ab6d896-f734-448f-cdbc-63243a31274f"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "b'ne\\nThis is the second line\\nThi'"
            ]
          },
          "execution_count": 79,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_head file1 -c 30 -o 20"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "4eUiJKrGOptM"
      },
      "source": [
        "Some of the functions like `grr_head` and `grr_ls` have `--cached` (`-C` for short) option which indicates that no calls to the client should be performed. In this case the data will be fetched from the cached data on the server. Server cached data is updated only during calls to the client so it is not always up-to-date but accessing it is way faster."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 193
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 591,
          "status": "ok",
          "timestamp": 1563351697868,
          "user_tz": -120
        },
        "id": "JuPSGH57PSEh",
        "outputId": "7f235a49-9a75-4d34-8915-fec3fe083ee9"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003est_mode\u003c/th\u003e\n",
              "      \u003cth\u003est_mode.pretty\u003c/th\u003e\n",
              "      \u003cth\u003est_ino\u003c/th\u003e\n",
              "      \u003cth\u003est_dev\u003c/th\u003e\n",
              "      \u003cth\u003est_nlink\u003c/th\u003e\n",
              "      \u003cth\u003est_uid\u003c/th\u003e\n",
              "      \u003cth\u003est_gid\u003c/th\u003e\n",
              "      \u003cth\u003est_size\u003c/th\u003e\n",
              "      \u003cth\u003est_atime\u003c/th\u003e\n",
              "      \u003cth\u003est_mtime\u003c/th\u003e\n",
              "      \u003cth\u003est_ctime\u003c/th\u003e\n",
              "      \u003cth\u003est_blocks\u003c/th\u003e\n",
              "      \u003cth\u003est_blksize\u003c/th\u003e\n",
              "      \u003cth\u003est_rdev\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_osx\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_linux\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "      \u003ctd\u003e17696532\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e2\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/dir1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "      \u003ctd\u003e17832583\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e3\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157734\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/dir2\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e2\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e17696534\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e70\u003c/td\u003e\n",
              "      \u003ctd\u003e1567158029\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e3\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e17696533\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e23\u003c/td\u003e\n",
              "      \u003ctd\u003e1567158209\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157627\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157627\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   st_mode st_mode.pretty    st_ino  st_dev  st_nlink  st_uid  st_gid  \\\n",
              "0    16877     drwxr-xr-x  17696532   65025         2  585945   89939   \n",
              "1    16877     drwxr-xr-x  17832583   65025         3  585945   89939   \n",
              "2    33188     -rw-r--r--  17696534   65025         1  585945   89939   \n",
              "3    33188     -rw-r--r--  17696533   65025         1  585945   89939   \n",
              "\n",
              "   st_size    st_atime    st_mtime    st_ctime  st_blocks  st_blksize  \\\n",
              "0     4096  1567157599  1567157599  1567157599          8        4096   \n",
              "1     4096  1567157734  1567157599  1567157599          8        4096   \n",
              "2       70  1567158029  1567157649  1567157649          8        4096   \n",
              "3       23  1567158209  1567157627  1567157627          8        4096   \n",
              "\n",
              "   st_rdev pathspec.pathtype       pathspec.path pathspec.path_options  \\\n",
              "0        0                OS   /tmp/foo/baz/dir1          CASE_LITERAL   \n",
              "1        0                OS   /tmp/foo/baz/dir2          CASE_LITERAL   \n",
              "2        0                OS  /tmp/foo/baz/file1          CASE_LITERAL   \n",
              "3        0                OS  /tmp/foo/baz/file2          CASE_LITERAL   \n",
              "\n",
              "   st_flags_osx  st_flags_linux  \n",
              "0             0          524288  \n",
              "1             0          524288  \n",
              "2             0          524288  \n",
              "3             0          524288  "
            ]
          },
          "execution_count": 80,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_ls /tmp/foo/baz -C"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 425,
          "status": "ok",
          "timestamp": 1563351698353,
          "user_tz": -120
        },
        "id": "pltMJ7s0PXpr",
        "outputId": "0c71a0fd-bcc5-4692-9c3e-3a92f45cb60c"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "b'This is the first line\\nThis is the second line\\nThis is the third LINE\\n'"
            ]
          },
          "execution_count": 81,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_head file1 -C"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "OggOgs4jQxVL"
      },
      "source": [
        "Grepping files is also possible. `--fixed-string` (`-F` for short) option indicates that pattern to search for is not a regular expression. `--hex-string` (`-X` for short) option allows to pass hex strings as a pattern."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 142
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16331,
          "status": "ok",
          "timestamp": 1563351714751,
          "user_tz": -120
        },
        "id": "lkKwsfMiRJau",
        "outputId": "bab97cb0-83d8-4f67-d594-185962e868ce"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eoffset\u003c/th\u003e\n",
              "      \u003cth\u003elength\u003c/th\u003e\n",
              "      \u003cth\u003edata\u003c/th\u003e\n",
              "      \u003cth\u003edata.pretty\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e18\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e42\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e2\u003c/th\u003e\n",
              "      \u003ctd\u003e65\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'LINE'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'LINE'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   offset  length     data data.pretty pathspec.pathtype       pathspec.path  \\\n",
              "0      18       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "1      42       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "2      65       4  b'LINE'     b'LINE'                OS  /tmp/foo/baz/file1   \n",
              "\n",
              "  pathspec.path_options  \n",
              "0          CASE_LITERAL  \n",
              "1          CASE_LITERAL  \n",
              "2          CASE_LITERAL  "
            ]
          },
          "execution_count": 82,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_grep \"line\" file1"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 111
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16618,
          "status": "ok",
          "timestamp": 1563351731436,
          "user_tz": -120
        },
        "id": "My9QheBUBYJD",
        "outputId": "fe4170a1-6172-4b8f-d45e-1a29d4e55d25"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eoffset\u003c/th\u003e\n",
              "      \u003cth\u003elength\u003c/th\u003e\n",
              "      \u003cth\u003edata\u003c/th\u003e\n",
              "      \u003cth\u003edata.pretty\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e18\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e42\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   offset  length     data data.pretty pathspec.pathtype       pathspec.path  \\\n",
              "0      18       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "1      42       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "\n",
              "  pathspec.path_options  \n",
              "0          CASE_LITERAL  \n",
              "1          CASE_LITERAL  "
            ]
          },
          "execution_count": 83,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_grep -F \"line\" file1"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "0x0y4Bt398ar",
        "outputId": "6009bdd3-fbe1-4330-9747-e4654f1c17eb"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eoffset\u003c/th\u003e\n",
              "      \u003cth\u003elength\u003c/th\u003e\n",
              "      \u003cth\u003edata\u003c/th\u003e\n",
              "      \u003cth\u003edata.pretty\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e18\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e42\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e2\u003c/th\u003e\n",
              "      \u003ctd\u003e65\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'LINE'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'LINE'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   offset  length     data data.pretty pathspec.pathtype       pathspec.path  \\\n",
              "0      18       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "1      42       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "2      65       4  b'LINE'     b'LINE'                OS  /tmp/foo/baz/file1   \n",
              "\n",
              "  pathspec.path_options  \n",
              "0          CASE_LITERAL  \n",
              "1          CASE_LITERAL  \n",
              "2          CASE_LITERAL  "
            ]
          },
          "execution_count": 84,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_grep -X \"6c696e65\" file1"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "qR5t9eP7BfOK"
      },
      "source": [
        "There is a shortcut for `--fixed-strings` option. Globbing is also available here."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 32
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16254,
          "status": "ok",
          "timestamp": 1563984785932,
          "user_tz": -120
        },
        "id": "Sil8JPOdBoxy",
        "outputId": "db962b0c-f5d9-493e-b24e-dff3b9c39ef5"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eoffset\u003c/th\u003e\n",
              "      \u003cth\u003elength\u003c/th\u003e\n",
              "      \u003cth\u003edata\u003c/th\u003e\n",
              "      \u003cth\u003edata.pretty\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e18\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e42\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e2\u003c/th\u003e\n",
              "      \u003ctd\u003e18\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   offset  length     data data.pretty pathspec.pathtype       pathspec.path  \\\n",
              "0      18       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "1      42       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "2      18       4  b'line'     b'line'                OS  /tmp/foo/baz/file2   \n",
              "\n",
              "  pathspec.path_options  \n",
              "0          CASE_LITERAL  \n",
              "1          CASE_LITERAL  \n",
              "2          CASE_LITERAL  "
            ]
          },
          "execution_count": 85,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_fgrep \"line\" \"file*\""
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "IfBBFAS098aw",
        "outputId": "9b3ffb9c-0c2f-4ffe-b5a2-11bf94d668aa"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eoffset\u003c/th\u003e\n",
              "      \u003cth\u003elength\u003c/th\u003e\n",
              "      \u003cth\u003edata\u003c/th\u003e\n",
              "      \u003cth\u003edata.pretty\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e18\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e42\u003c/td\u003e\n",
              "      \u003ctd\u003e4\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eb'line'\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   offset  length     data data.pretty pathspec.pathtype       pathspec.path  \\\n",
              "0      18       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "1      42       4  b'line'     b'line'                OS  /tmp/foo/baz/file1   \n",
              "\n",
              "  pathspec.path_options  \n",
              "0          CASE_LITERAL  \n",
              "1          CASE_LITERAL  "
            ]
          },
          "execution_count": 86,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_fgrep -X \"6c696e65\" file1"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "0r9nn9cxQ9qk"
      },
      "source": [
        "If the file is too large and you'd like to download it then use `wget`:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 690,
          "status": "ok",
          "timestamp": 1564580549980,
          "user_tz": -120
        },
        "id": "NIhjTNMds4pP",
        "outputId": "71dcc604-065f-4274-c0af-b547b1c5394b"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'http://localhost:8000//api/clients/C.dc3782aeab2c5b4c/vfs-blob/fs/os/tmp/foo/baz/file1'"
            ]
          },
          "execution_count": 87,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_wget file1"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "NWELaMAwROtT"
      },
      "source": [
        "You can also download a cached version:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 275,
          "status": "ok",
          "timestamp": 1564580590883,
          "user_tz": -120
        },
        "id": "5P-uy2IARMDK",
        "outputId": "829b6530-d9c3-4bc9-d567-ea70e5371b77"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'http://localhost:8000//api/clients/C.dc3782aeab2c5b4c/vfs-blob/fs/os/tmp/foo/baz/file1'"
            ]
          },
          "execution_count": 88,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_wget file1 -C"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "NYOgdzRuDy45"
      },
      "source": [
        "You can specify path type with `--path-type` flag (`-P` for short) for all filesystem related magics. The available values are `os` (default), `tsk`, `registry`."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "D8kDlt0xDy45",
        "outputId": "c8b67594-bc1c-45d9-ddf0-c02c337eb6e4"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003est_mode\u003c/th\u003e\n",
              "      \u003cth\u003est_mode.pretty\u003c/th\u003e\n",
              "      \u003cth\u003est_ino\u003c/th\u003e\n",
              "      \u003cth\u003est_dev\u003c/th\u003e\n",
              "      \u003cth\u003est_nlink\u003c/th\u003e\n",
              "      \u003cth\u003est_uid\u003c/th\u003e\n",
              "      \u003cth\u003est_gid\u003c/th\u003e\n",
              "      \u003cth\u003est_size\u003c/th\u003e\n",
              "      \u003cth\u003est_atime\u003c/th\u003e\n",
              "      \u003cth\u003est_mtime\u003c/th\u003e\n",
              "      \u003cth\u003est_ctime\u003c/th\u003e\n",
              "      \u003cth\u003est_blocks\u003c/th\u003e\n",
              "      \u003cth\u003est_blksize\u003c/th\u003e\n",
              "      \u003cth\u003est_rdev\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_osx\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_linux\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "      \u003ctd\u003e17696532\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e2\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/dir1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e16877\u003c/td\u003e\n",
              "      \u003ctd\u003edrwxr-xr-x\u003c/td\u003e\n",
              "      \u003ctd\u003e17832583\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e3\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157734\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157599\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/dir2\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e2\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e17696534\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e70\u003c/td\u003e\n",
              "      \u003ctd\u003e1567158029\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157649\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file1\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e3\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e17696533\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e585945\u003c/td\u003e\n",
              "      \u003ctd\u003e89939\u003c/td\u003e\n",
              "      \u003ctd\u003e23\u003c/td\u003e\n",
              "      \u003ctd\u003e1567158209\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157627\u003c/td\u003e\n",
              "      \u003ctd\u003e1567157627\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/tmp/foo/baz/file2\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   st_mode st_mode.pretty    st_ino  st_dev  st_nlink  st_uid  st_gid  \\\n",
              "0    16877     drwxr-xr-x  17696532   65025         2  585945   89939   \n",
              "1    16877     drwxr-xr-x  17832583   65025         3  585945   89939   \n",
              "2    33188     -rw-r--r--  17696534   65025         1  585945   89939   \n",
              "3    33188     -rw-r--r--  17696533   65025         1  585945   89939   \n",
              "\n",
              "   st_size    st_atime    st_mtime    st_ctime  st_blocks  st_blksize  \\\n",
              "0     4096  1567157599  1567157599  1567157599          8        4096   \n",
              "1     4096  1567157734  1567157599  1567157599          8        4096   \n",
              "2       70  1567158029  1567157649  1567157649          8        4096   \n",
              "3       23  1567158209  1567157627  1567157627          8        4096   \n",
              "\n",
              "   st_rdev pathspec.pathtype       pathspec.path pathspec.path_options  \\\n",
              "0        0                OS   /tmp/foo/baz/dir1          CASE_LITERAL   \n",
              "1        0                OS   /tmp/foo/baz/dir2          CASE_LITERAL   \n",
              "2        0                OS  /tmp/foo/baz/file1          CASE_LITERAL   \n",
              "3        0                OS  /tmp/foo/baz/file2          CASE_LITERAL   \n",
              "\n",
              "   st_flags_osx  st_flags_linux  \n",
              "0             0          524288  \n",
              "1             0          524288  \n",
              "2             0          524288  \n",
              "3             0          524288  "
            ]
          },
          "execution_count": 89,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_ls -P os -C"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "czHvTr5SGVrD"
      },
      "source": [
        "### System information"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "JsZY4a0iDJaW"
      },
      "source": [
        "Names of the functions are the same as in bash for simplicity."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "Iwk1_PKZDZSF"
      },
      "source": [
        "Printing hostname of the client:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "WnZUZlF2CdIh"
      },
      "outputs": [],
      "source": [
        "%grr_hostname"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "SlHDujKvDdvH"
      },
      "source": [
        "Getting network interfaces info:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "mNuaPAXkCkrG"
      },
      "outputs": [],
      "source": [
        "ifaces = %grr_ifconfig "
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "WjfszQz5CzY5"
      },
      "source": [
        "For mac address fields there are also two columns: one with the original bytes type but not representable and pretty one with string representation of mac address."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 111
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 53,
          "status": "ok",
          "timestamp": 1563441679247,
          "user_tz": -120
        },
        "id": "W0kCtinHCi1v",
        "outputId": "14c96b09-6964-46cc-c4ee-5882002fbd52"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003emac_address\u003c/th\u003e\n",
              "      \u003cth\u003emac_address.pretty\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003eb'\\x00\\x00\\x00\\x00\\x00\\x00'\u003c/td\u003e\n",
              "      \u003ctd\u003e00:00:00:00:00:00\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "                   mac_address mac_address.pretty\n",
              "1  b'\\x00\\x00\\x00\\x00\\x00\\x00'  00:00:00:00:00:00"
            ]
          },
          "execution_count": 91,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "ifaces[['mac_address', 'mac_address.pretty']][1:]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "QPVhNz-3Drul"
      },
      "source": [
        "If a field contains a collection then the cell in the dataframe is represented as another dataframe. IP adress fields also have two representations."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 142
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 35,
          "status": "ok",
          "timestamp": 1563444452885,
          "user_tz": -120
        },
        "id": "efpRK-m8Dlyl",
        "outputId": "c0105d07-0c24-4857-ad00-7020b0f8b086"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eaddress_type\u003c/th\u003e\n",
              "      \u003cth\u003epacked_bytes\u003c/th\u003e\n",
              "      \u003cth\u003epacked_bytes.pretty\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003eINET\u003c/td\u003e\n",
              "      \u003ctd\u003eb'\\x7f\\x00\\x00\\x01'\u003c/td\u003e\n",
              "      \u003ctd\u003e127.0.0.1\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003eINET6\u003c/td\u003e\n",
              "      \u003ctd\u003eb'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00...\u003c/td\u003e\n",
              "      \u003ctd\u003e::1\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "  address_type                                       packed_bytes  \\\n",
              "0         INET                                b'\\x7f\\x00\\x00\\x01'   \n",
              "1        INET6  b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00...   \n",
              "\n",
              "  packed_bytes.pretty  \n",
              "0           127.0.0.1  \n",
              "1                 ::1  "
            ]
          },
          "execution_count": 92,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "ifaces['addresses'][1]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "Q-FNhF5rEWC7"
      },
      "source": [
        "For `uname` command only two options are available: `--machine` that prints the machine architecture and `--kernel-release`."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 221,
          "status": "ok",
          "timestamp": 1563352562153,
          "user_tz": -120
        },
        "id": "Hmj3MJw-EqZa",
        "outputId": "1f0e9f91-c8e6-4be9-fbfc-65767df4434e"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'x86_64'"
            ]
          },
          "execution_count": 93,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_uname -m"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 25,
          "status": "ok",
          "timestamp": 1563352563896,
          "user_tz": -120
        },
        "id": "jSrY9XYGEsoi",
        "outputId": "f1e160ff-3807-4f56-e3fa-31af25ea9936"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'4.19.37-5rodete4-amd64'"
            ]
          },
          "execution_count": 94,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_uname -r"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "q5p55987E2-p"
      },
      "source": [
        "To get the client summary you can simply call interrogate flow. "
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 117
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 31886,
          "status": "ok",
          "timestamp": 1563352720794,
          "user_tz": -120
        },
        "id": "zeFrHVBLE-G5",
        "outputId": "665311dd-5ac0-40fe-8a91-dcd1d3cdeeba"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eclient_id\u003c/th\u003e\n",
              "      \u003cth\u003esystem_info.system\u003c/th\u003e\n",
              "      \u003cth\u003esystem_info.machine\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003eaff4:/C.dc3782aeab2c5b4c\u003c/td\u003e\n",
              "      \u003ctd\u003eLinux\u003c/td\u003e\n",
              "      \u003ctd\u003ex86_64\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "                  client_id system_info.system system_info.machine\n",
              "0  aff4:/C.dc3782aeab2c5b4c              Linux              x86_64"
            ]
          },
          "execution_count": 97,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "df = %grr_interrogate\n",
        "df[['client_id', 'system_info.system', 'system_info.machine']]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "lPq0waOUFFsK"
      },
      "source": [
        "There is also possible to get info about processes that are running on client machine:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 241
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 22535,
          "status": "ok",
          "timestamp": 1563352905917,
          "user_tz": -120
        },
        "id": "yhcCXQ4LFFBp",
        "outputId": "a12b523c-0e5c-40af-8dca-78b925cf4151"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003epid\u003c/th\u003e\n",
              "      \u003cth\u003eppid\u003c/th\u003e\n",
              "      \u003cth\u003ename\u003c/th\u003e\n",
              "      \u003cth\u003eexe\u003c/th\u003e\n",
              "      \u003cth\u003ecmdline\u003c/th\u003e\n",
              "      \u003cth\u003ectime\u003c/th\u003e\n",
              "      \u003cth\u003ereal_uid\u003c/th\u003e\n",
              "      \u003cth\u003eeffective_uid\u003c/th\u003e\n",
              "      \u003cth\u003esaved_uid\u003c/th\u003e\n",
              "      \u003cth\u003ereal_gid\u003c/th\u003e\n",
              "      \u003cth\u003e...\u003c/th\u003e\n",
              "      \u003cth\u003estatus\u003c/th\u003e\n",
              "      \u003cth\u003enice\u003c/th\u003e\n",
              "      \u003cth\u003ecwd\u003c/th\u003e\n",
              "      \u003cth\u003enum_threads\u003c/th\u003e\n",
              "      \u003cth\u003euser_cpu_time\u003c/th\u003e\n",
              "      \u003cth\u003esystem_cpu_time\u003c/th\u003e\n",
              "      \u003cth\u003eRSS_size\u003c/th\u003e\n",
              "      \u003cth\u003eVMS_size\u003c/th\u003e\n",
              "      \u003cth\u003ememory_percent\u003c/th\u003e\n",
              "      \u003cth\u003econnections\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003esystemd\u003c/td\u003e\n",
              "      \u003ctd\u003e/usr/lib/systemd/systemd\u003c/td\u003e\n",
              "      \u003ctd\u003e0\n",
              "0  /lib/systemd/system...\u003c/td\u003e\n",
              "      \u003ctd\u003e1565017014530000\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e...\u003c/td\u003e\n",
              "      \u003ctd\u003esleeping\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e/\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e78.779999\u003c/td\u003e\n",
              "      \u003ctd\u003e53.02000\u003c/td\u003e\n",
              "      \u003ctd\u003e9670656\u003c/td\u003e\n",
              "      \u003ctd\u003e230248448\u003c/td\u003e\n",
              "      \u003ctd\u003e0.014377\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e520\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003elvmetad\u003c/td\u003e\n",
              "      \u003ctd\u003e/usr/sbin/lvmetad\u003c/td\u003e\n",
              "      \u003ctd\u003e0\n",
              "0  /sbin/lvmetad\n",
              "1           ...\u003c/td\u003e\n",
              "      \u003ctd\u003e1565017041170000\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e...\u003c/td\u003e\n",
              "      \u003ctd\u003esleeping\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e/\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e0.050000\u003c/td\u003e\n",
              "      \u003ctd\u003e0.05000\u003c/td\u003e\n",
              "      \u003ctd\u003e1937408\u003c/td\u003e\n",
              "      \u003ctd\u003e108138496\u003c/td\u003e\n",
              "      \u003ctd\u003e0.002880\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e2\u003c/th\u003e\n",
              "      \u003ctd\u003e759\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003erpc.svcgssd\u003c/td\u003e\n",
              "      \u003ctd\u003e/usr/sbin/rpc.svcgssd\u003c/td\u003e\n",
              "      \u003ctd\u003e0\n",
              "0  /usr/sbin/rpc.svcgssd\u003c/td\u003e\n",
              "      \u003ctd\u003e1565017041590000\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e...\u003c/td\u003e\n",
              "      \u003ctd\u003esleeping\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e/\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e0.000000\u003c/td\u003e\n",
              "      \u003ctd\u003e0.00000\u003c/td\u003e\n",
              "      \u003ctd\u003e3215360\u003c/td\u003e\n",
              "      \u003ctd\u003e31694848\u003c/td\u003e\n",
              "      \u003ctd\u003e0.004780\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e3\u003c/th\u003e\n",
              "      \u003ctd\u003e760\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003erpc.gssd\u003c/td\u003e\n",
              "      \u003ctd\u003e/usr/sbin/rpc.gssd\u003c/td\u003e\n",
              "      \u003ctd\u003e0\n",
              "0  /usr/sbin/rpc.gssd\n",
              "1 ...\u003c/td\u003e\n",
              "      \u003ctd\u003e1565017041600000\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e...\u003c/td\u003e\n",
              "      \u003ctd\u003esleeping\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e/run/rpc_pipefs\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e0.000000\u003c/td\u003e\n",
              "      \u003ctd\u003e0.00000\u003c/td\u003e\n",
              "      \u003ctd\u003e299008\u003c/td\u003e\n",
              "      \u003ctd\u003e27766784\u003c/td\u003e\n",
              "      \u003ctd\u003e0.000445\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e4\u003c/th\u003e\n",
              "      \u003ctd\u003e848\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003emgagentxp_script_runner.par\u003c/td\u003e\n",
              "      \u003ctd\u003e/usr/bin/mgagentxp_script_runner.par\u003c/td\u003e\n",
              "      \u003ctd\u003e...\u003c/td\u003e\n",
              "      \u003ctd\u003e1565017042310000\u003c/td\u003e\n",
              "      \u003ctd\u003e65534\u003c/td\u003e\n",
              "      \u003ctd\u003e65534\u003c/td\u003e\n",
              "      \u003ctd\u003e65534\u003c/td\u003e\n",
              "      \u003ctd\u003e1001\u003c/td\u003e\n",
              "      \u003ctd\u003e...\u003c/td\u003e\n",
              "      \u003ctd\u003esleeping\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e/\u003c/td\u003e\n",
              "      \u003ctd\u003e5\u003c/td\u003e\n",
              "      \u003ctd\u003e424.779999\u003c/td\u003e\n",
              "      \u003ctd\u003e490.51001\u003c/td\u003e\n",
              "      \u003ctd\u003e25403392\u003c/td\u003e\n",
              "      \u003ctd\u003e1131827200\u003c/td\u003e\n",
              "      \u003ctd\u003e0.037767\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003cp\u003e5 rows × 24 columns\u003c/p\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   pid  ppid                         name  \\\n",
              "0    1     0                      systemd   \n",
              "1  520     1                      lvmetad   \n",
              "2  759     1                  rpc.svcgssd   \n",
              "3  760     1                     rpc.gssd   \n",
              "4  848     1  mgagentxp_script_runner.par   \n",
              "\n",
              "                                    exe  \\\n",
              "0              /usr/lib/systemd/systemd   \n",
              "1                     /usr/sbin/lvmetad   \n",
              "2                 /usr/sbin/rpc.svcgssd   \n",
              "3                    /usr/sbin/rpc.gssd   \n",
              "4  /usr/bin/mgagentxp_script_runner.par   \n",
              "\n",
              "                                             cmdline             ctime  \\\n",
              "0                        0\n",
              "0  /lib/systemd/system...  1565017014530000   \n",
              "1                 0\n",
              "0  /sbin/lvmetad\n",
              "1           ...  1565017041170000   \n",
              "2                         0\n",
              "0  /usr/sbin/rpc.svcgssd  1565017041590000   \n",
              "3                      0\n",
              "0  /usr/sbin/rpc.gssd\n",
              "1 ...  1565017041600000   \n",
              "4                                                ...  1565017042310000   \n",
              "\n",
              "   real_uid  effective_uid  saved_uid  real_gid  ...    status  nice  \\\n",
              "0         0              0          0         0  ...  sleeping     0   \n",
              "1         0              0          0         0  ...  sleeping     0   \n",
              "2         0              0          0         0  ...  sleeping     0   \n",
              "3         0              0          0         0  ...  sleeping     0   \n",
              "4     65534          65534      65534      1001  ...  sleeping     0   \n",
              "\n",
              "               cwd num_threads user_cpu_time  system_cpu_time  RSS_size  \\\n",
              "0                /           1     78.779999         53.02000   9670656   \n",
              "1                /           1      0.050000          0.05000   1937408   \n",
              "2                /           1      0.000000          0.00000   3215360   \n",
              "3  /run/rpc_pipefs           1      0.000000          0.00000    299008   \n",
              "4                /           5    424.779999        490.51001  25403392   \n",
              "\n",
              "     VMS_size  memory_percent  connections  \n",
              "0   230248448        0.014377          NaN  \n",
              "1   108138496        0.002880          NaN  \n",
              "2    31694848        0.004780          NaN  \n",
              "3    27766784        0.000445          NaN  \n",
              "4  1131827200        0.037767          NaN  \n",
              "\n",
              "[5 rows x 24 columns]"
            ]
          },
          "execution_count": 98,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "ps = %grr_ps\n",
        "ps[:5]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "2U7Riu4HFnWA"
      },
      "source": [
        "To fetch some system information you can also use osquery. Osquery tables are also converted to dataframes."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 328
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16312,
          "status": "ok",
          "timestamp": 1564582660644,
          "user_tz": -120
        },
        "id": "yNyEQf2tGGNQ",
        "outputId": "59f9f7f5-8cb6-4b45-e158-01c7a93a3c7a"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003ecmdline\u003c/th\u003e\n",
              "      \u003cth\u003ename\u003c/th\u003e\n",
              "      \u003cth\u003enice\u003c/th\u003e\n",
              "      \u003cth\u003epid\u003c/th\u003e\n",
              "      \u003cth\u003estate\u003c/th\u003e\n",
              "      \u003cth\u003ethreads\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e\u003c/td\u003e\n",
              "      \u003ctd\u003ekworker/4:1H-kblockd\u003c/td\u003e\n",
              "      \u003ctd\u003e-20\u003c/td\u003e\n",
              "      \u003ctd\u003e500\u003c/td\u003e\n",
              "      \u003ctd\u003eI\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003e\u003c/td\u003e\n",
              "      \u003ctd\u003erpciod\u003c/td\u003e\n",
              "      \u003ctd\u003e-20\u003c/td\u003e\n",
              "      \u003ctd\u003e505\u003c/td\u003e\n",
              "      \u003ctd\u003eI\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e2\u003c/th\u003e\n",
              "      \u003ctd\u003e\u003c/td\u003e\n",
              "      \u003ctd\u003exprtiod\u003c/td\u003e\n",
              "      \u003ctd\u003e-20\u003c/td\u003e\n",
              "      \u003ctd\u003e506\u003c/td\u003e\n",
              "      \u003ctd\u003eI\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e3\u003c/th\u003e\n",
              "      \u003ctd\u003e/sbin/lvmetad -f\u003c/td\u003e\n",
              "      \u003ctd\u003elvmetad\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e520\u003c/td\u003e\n",
              "      \u003ctd\u003eS\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "            cmdline                  name nice  pid state threads\n",
              "0                    kworker/4:1H-kblockd  -20  500     I       1\n",
              "1                                  rpciod  -20  505     I       1\n",
              "2                                 xprtiod  -20  506     I       1\n",
              "3  /sbin/lvmetad -f               lvmetad    0  520     S       1"
            ]
          },
          "execution_count": 99,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_osqueryi \"SELECT pid, name, cmdline, state, nice, threads FROM processes WHERE pid \u003e= 440 and pid \u003c 600;\""
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "jL65ahsiRdc9"
      },
      "source": [
        "Running YARA for scanning processes is also available."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 1000
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 104847,
          "status": "ok",
          "timestamp": 1563543214543,
          "user_tz": -120
        },
        "id": "lOO65oYzbWmU",
        "outputId": "ad583f42-fc6d-414b-9fb5-894ae1ea69c4"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eprocess.pid\u003c/th\u003e\n",
              "      \u003cth\u003eprocess.name\u003c/th\u003e\n",
              "      \u003cth\u003eprocess.exe\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e63438\u003c/td\u003e\n",
              "      \u003ctd\u003epython3\u003c/td\u003e\n",
              "      \u003ctd\u003e/opt/python/3.7/bin/python3.7\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   process.pid process.name                    process.exe\n",
              "0        63438      python3  /opt/python/3.7/bin/python3.7"
            ]
          },
          "execution_count": 100,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "import os \n",
        "\n",
        "pid = os.getpid()\n",
        "data = \"dadasdasdasdjaskdakdaskdakjdkjadkjakjjdsgkngksfkjadsjnfandankjd\"\n",
        "rule = 'rule TextExample {{ strings: $text_string = \"{data}\" condition: $text_string }}'.format(data=data)\n",
        "\n",
        "df = %grr_yara '{rule}' -p {pid}\n",
        "df[['process.pid', 'process.name', 'process.exe']]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "AtfQUmUzGZez"
      },
      "source": [
        "### Configuring flow timeout"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "Fsd4AG0kG8A8"
      },
      "source": [
        "The default flow timeout is 30 seconds. It's time the function waits for a flow to complete. You can configure this timeout with `grr_set_flow_timeout` specifying number of seconds to wait. For examples, this will set the timeout to a minute:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "ZNVey7oXH68q"
      },
      "outputs": [],
      "source": [
        "%grr_set_flow_timeout 60"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "6KVqqAIHHVzz"
      },
      "source": [
        "To tell functions to wait for the flows forever until they are completed:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "RmvydfP5Hn8R"
      },
      "outputs": [],
      "source": [
        "%grr_set_no_flow_timeout"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "WOMMlijizLEJ"
      },
      "source": [
        "To set timeout to default value of 30 seconds:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "X7wcgFgpzSyq"
      },
      "outputs": [],
      "source": [
        "%grr_set_default_flow_timeout"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "d0_E6iUtHqQa"
      },
      "source": [
        "Setting timeout to 0 tells functions not to wait at all and exit immediately after the flow starts."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "Km8PM9DxIK9J"
      },
      "outputs": [],
      "source": [
        "%grr_set_flow_timeout 0"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "FazHWCkwIM7J"
      },
      "source": [
        "In case timeout is exceeded (or you set 0 timeout) you will se such error with a link to Admin UI."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "AalfPJo3B-ef"
      },
      "source": [
        "### Collecting artifacts"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "GN_k0LguRqGo"
      },
      "source": [
        "You can first list all the artifacts that you can collect:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 1000
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 33511,
          "status": "ok",
          "timestamp": 1563956618090,
          "user_tz": -120
        },
        "id": "TpeV7QkNiRQ-",
        "outputId": "50b08306-a991-4bc6-9d81-0d578d0fb5a6"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003eartifact.name\u003c/th\u003e\n",
              "      \u003cth\u003eartifact.doc\u003c/th\u003e\n",
              "      \u003cth\u003eartifact.supported_os\u003c/th\u003e\n",
              "      \u003cth\u003eartifact.labels\u003c/th\u003e\n",
              "      \u003cth\u003eartifact.urls\u003c/th\u003e\n",
              "      \u003cth\u003eartifact.sources\u003c/th\u003e\n",
              "      \u003cth\u003eis_custom\u003c/th\u003e\n",
              "      \u003cth\u003eerror_message\u003c/th\u003e\n",
              "      \u003cth\u003edependencies\u003c/th\u003e\n",
              "      \u003cth\u003eartifact.provides\u003c/th\u003e\n",
              "      \u003cth\u003epath_dependencies\u003c/th\u003e\n",
              "      \u003cth\u003eprocessors\u003c/th\u003e\n",
              "      \u003cth\u003eartifact.conditions\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003eAPTSources\u003c/td\u003e\n",
              "      \u003ctd\u003eAPT package sources list\u003c/td\u003e\n",
              "      \u003ctd\u003e0\n",
              "0  Linux\u003c/td\u003e\n",
              "      \u003ctd\u003e0\n",
              "0  Configuration Files\n",
              "...\u003c/td\u003e\n",
              "      \u003ctd\u003e...\u003c/td\u003e\n",
              "      \u003ctd\u003etype                                     at...\u003c/td\u003e\n",
              "      \u003ctd\u003eFalse\u003c/td\u003e\n",
              "      \u003ctd\u003e\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e1\u003c/th\u003e\n",
              "      \u003ctd\u003eAPTTrustKeys\u003c/td\u003e\n",
              "      \u003ctd\u003eAPT trusted keys\u003c/td\u003e\n",
              "      \u003ctd\u003e0\n",
              "0  Linux\u003c/td\u003e\n",
              "      \u003ctd\u003e0\n",
              "0  Configuration Files\n",
              "...\u003c/td\u003e\n",
              "      \u003ctd\u003e0\n",
              "0  https:...\u003c/td\u003e\n",
              "      \u003ctd\u003etype                                     at...\u003c/td\u003e\n",
              "      \u003ctd\u003eFalse\u003c/td\u003e\n",
              "      \u003ctd\u003e\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "      \u003ctd\u003eNaN\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "  artifact.name              artifact.doc artifact.supported_os  \\\n",
              "0    APTSources  APT package sources list            0\n",
              "0  Linux   \n",
              "1  APTTrustKeys          APT trusted keys            0\n",
              "0  Linux   \n",
              "\n",
              "                                     artifact.labels  \\\n",
              "0                       0\n",
              "0  Configuration Files\n",
              "...   \n",
              "1                       0\n",
              "0  Configuration Files\n",
              "...   \n",
              "\n",
              "                                       artifact.urls  \\\n",
              "0                                                ...   \n",
              "1                                     0\n",
              "0  https:...   \n",
              "\n",
              "                                    artifact.sources  is_custom error_message  \\\n",
              "0     type                                     at...      False                 \n",
              "1     type                                     at...      False                 \n",
              "\n",
              "  dependencies artifact.provides path_dependencies processors  \\\n",
              "0          NaN               NaN               NaN        NaN   \n",
              "1          NaN               NaN               NaN        NaN   \n",
              "\n",
              "  artifact.conditions  \n",
              "0                 NaN  \n",
              "1                 NaN  "
            ]
          },
          "execution_count": 101,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "df = %grr_list_artifacts\n",
        "df[:2]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "zbJDFj_zCBUW"
      },
      "source": [
        "To collect an artifact you just need to provide its name:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 100
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 18412,
          "status": "ok",
          "timestamp": 1563452500762,
          "user_tz": -120
        },
        "id": "1lG6LFGmBykZ",
        "outputId": "501a8ccb-3a97-482f-bc35-dd0d08cbe8ef"
      },
      "outputs": [
        {
          "data": {
            "text/html": [
              "\u003cdiv\u003e\n",
              "\u003cstyle scoped\u003e\n",
              "    .dataframe tbody tr th:only-of-type {\n",
              "        vertical-align: middle;\n",
              "    }\n",
              "\n",
              "    .dataframe tbody tr th {\n",
              "        vertical-align: top;\n",
              "    }\n",
              "\n",
              "    .dataframe thead th {\n",
              "        text-align: right;\n",
              "    }\n",
              "\u003c/style\u003e\n",
              "\u003ctable border=\"1\" class=\"dataframe\"\u003e\n",
              "  \u003cthead\u003e\n",
              "    \u003ctr style=\"text-align: right;\"\u003e\n",
              "      \u003cth\u003e\u003c/th\u003e\n",
              "      \u003cth\u003est_mode\u003c/th\u003e\n",
              "      \u003cth\u003est_mode.pretty\u003c/th\u003e\n",
              "      \u003cth\u003est_ino\u003c/th\u003e\n",
              "      \u003cth\u003est_dev\u003c/th\u003e\n",
              "      \u003cth\u003est_nlink\u003c/th\u003e\n",
              "      \u003cth\u003est_uid\u003c/th\u003e\n",
              "      \u003cth\u003est_gid\u003c/th\u003e\n",
              "      \u003cth\u003est_size\u003c/th\u003e\n",
              "      \u003cth\u003est_atime\u003c/th\u003e\n",
              "      \u003cth\u003est_mtime\u003c/th\u003e\n",
              "      \u003cth\u003est_ctime\u003c/th\u003e\n",
              "      \u003cth\u003est_blocks\u003c/th\u003e\n",
              "      \u003cth\u003est_blksize\u003c/th\u003e\n",
              "      \u003cth\u003est_rdev\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.pathtype\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path\u003c/th\u003e\n",
              "      \u003cth\u003epathspec.path_options\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_osx\u003c/th\u003e\n",
              "      \u003cth\u003est_flags_linux\u003c/th\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/thead\u003e\n",
              "  \u003ctbody\u003e\n",
              "    \u003ctr\u003e\n",
              "      \u003cth\u003e0\u003c/th\u003e\n",
              "      \u003ctd\u003e33188\u003c/td\u003e\n",
              "      \u003ctd\u003e-rw-r--r--\u003c/td\u003e\n",
              "      \u003ctd\u003e10094787\u003c/td\u003e\n",
              "      \u003ctd\u003e65025\u003c/td\u003e\n",
              "      \u003ctd\u003e1\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e7\u003c/td\u003e\n",
              "      \u003ctd\u003e1567107891\u003c/td\u003e\n",
              "      \u003ctd\u003e1559242439\u003c/td\u003e\n",
              "      \u003ctd\u003e1559242439\u003c/td\u003e\n",
              "      \u003ctd\u003e8\u003c/td\u003e\n",
              "      \u003ctd\u003e4096\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003eOS\u003c/td\u003e\n",
              "      \u003ctd\u003e/etc/debian_version\u003c/td\u003e\n",
              "      \u003ctd\u003eCASE_LITERAL\u003c/td\u003e\n",
              "      \u003ctd\u003e0\u003c/td\u003e\n",
              "      \u003ctd\u003e524288\u003c/td\u003e\n",
              "    \u003c/tr\u003e\n",
              "  \u003c/tbody\u003e\n",
              "\u003c/table\u003e\n",
              "\u003c/div\u003e"
            ],
            "text/plain": [
              "   st_mode st_mode.pretty    st_ino  st_dev  st_nlink  st_uid  st_gid  \\\n",
              "0    33188     -rw-r--r--  10094787   65025         1       0       0   \n",
              "\n",
              "   st_size    st_atime    st_mtime    st_ctime  st_blocks  st_blksize  \\\n",
              "0        7  1567107891  1559242439  1559242439          8        4096   \n",
              "\n",
              "   st_rdev pathspec.pathtype        pathspec.path pathspec.path_options  \\\n",
              "0        0                OS  /etc/debian_version          CASE_LITERAL   \n",
              "\n",
              "   st_flags_osx  st_flags_linux  \n",
              "0             0          524288  "
            ]
          },
          "execution_count": 102,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "%grr_collect \"DebianVersion\""
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "0FUF1BS3Ppc3"
      },
      "source": [
        "## Python API"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "tZxaN9N6UVBB"
      },
      "source": [
        "### Getting a client"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "UQTvcGcCR3be"
      },
      "source": [
        "Using Python API you can work with multiple clients simultaneously. You don't need to select a client to work with, instead you simply get a client object."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "lAJq-J6gTH3M"
      },
      "source": [
        "Use `search` method to search for clients. You can specify `ip`, `mac`, `host`, `version`, `user`, and `labels` search criteria. As a result you will get a list of client objects so that you can pick one of them to work with."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 620,
          "status": "ok",
          "timestamp": 1563356576380,
          "user_tz": -120
        },
        "id": "INyXrM3wSi32",
        "outputId": "74e78b51-3c46-47f6-e7e4-dbd252bf64b8"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "🌕 C.dc3782aeab2c5b4c @ admin.example.com (0 seconds ago)\n"
            ]
          },
          "execution_count": 103,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "clients = grr_colab.Client.search(user='admin')\n",
        "clients"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "PMIje4W4Dy5t",
        "outputId": "f93856ed-be9d-49f3-f0ce-7b03df02fd8b"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'C.dc3782aeab2c5b4c'"
            ]
          },
          "execution_count": 104,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "clients[0].id"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "UR074CCKTurM"
      },
      "source": [
        "If you know a client ID or a hostname (in case there is one client installed for this hostname) you can get a client object using one of these values:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "oBz7EKBbUERS"
      },
      "outputs": [],
      "source": [
        "client = grr_colab.Client.with_id('C.dc3782aeab2c5b4c')"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "GgNPa8zrUX5y"
      },
      "source": [
        "### Client properties"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "Wwq0GnL8UhpZ"
      },
      "source": [
        "There is a bunch of simple client properties to get some info about the client. Unlike magic API this API returns objects but not dataframes for non-primitive values."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "ra5NHgoGVqce"
      },
      "source": [
        "Getting the client ID:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 217,
          "status": "ok",
          "timestamp": 1563356841291,
          "user_tz": -120
        },
        "id": "q1QE6IASUZ0r",
        "outputId": "bd94c35f-8b99-496a-9f1b-00efb9c304aa"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'C.dc3782aeab2c5b4c'"
            ]
          },
          "execution_count": 106,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.id"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "YBUB2Bn8Vsty"
      },
      "source": [
        "Getting the client hostname:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "ctITVSuqVFK3"
      },
      "outputs": [],
      "source": [
        "client.hostname"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "hTVNy_S9Vwku"
      },
      "source": [
        "Getting network interfaces info:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 408
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 33,
          "status": "ok",
          "timestamp": 1563356862288,
          "user_tz": -120
        },
        "id": "dOx5QunTVIAo",
        "outputId": "233e1b70-de45-469a-b915-62092ebe1ddf"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "lo (MAC: 00:00:00:00:00:00):\n",
              "    inet 127.0.0.1\n",
              "    inet6 ::1\n"
            ]
          },
          "execution_count": 107,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.ifaces[1:]"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "VigPSVFqDy56",
        "outputId": "ee349d0c-321c-4212-92e1-d3b9200eceb3"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'lo'"
            ]
          },
          "execution_count": 108,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.ifaces[1].ifname"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "MN1zFXBvV8n9"
      },
      "source": [
        "This is a collection of interface objects so you can iterate over it and access interface object fields:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 51
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 234,
          "status": "ok",
          "timestamp": 1563357064241,
          "user_tz": -120
        },
        "id": "FYAMPSyIV0C4",
        "outputId": "324b08df-f6d2-486a-ff77-01ec205cb249"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "enp0s31f6\n",
            "lo\n"
          ]
        }
      ],
      "source": [
        "for iface in client.ifaces:\n",
        "  print(iface.ifname)"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "vkUrPv2YWqz0"
      },
      "source": [
        "Getting the knowledge base for the client:"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "rlgz-w8EWg_M"
      },
      "source": [
        "You can also access its fields:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 234,
          "status": "ok",
          "timestamp": 1563357188321,
          "user_tz": -120
        },
        "id": "jHNACm1lWHTs",
        "outputId": "46b6ee43-d591-455d-d497-e882edca55c9"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'Debian GNU/Linux'"
            ]
          },
          "execution_count": 110,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.knowledgebase\n",
        "client.knowledgebase.os_release"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "qthHpFbGW1cq"
      },
      "source": [
        "Getting an architecture of a machine that client runs on:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 213,
          "status": "ok",
          "timestamp": 1563356907396,
          "user_tz": -120
        },
        "id": "lmBZpKH-VSZ2",
        "outputId": "72d89df9-71cd-4208-9777-d5ede70ec9cf"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'x86_64'"
            ]
          },
          "execution_count": 111,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.arch"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "_tXx5na7W8gy"
      },
      "source": [
        "Getting kernel version string: "
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 54,
          "status": "ok",
          "timestamp": 1563356919015,
          "user_tz": -120
        },
        "id": "dU2CEbVcVU6f",
        "outputId": "61944428-0746-4f3a-c934-6b0f9aff295c"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'4.19.37-5rodete4-amd64'"
            ]
          },
          "execution_count": 112,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.kernel"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "_0h8UfD1XCkc"
      },
      "source": [
        "Getting a list of labels that are associated with this client:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 36,
          "status": "ok",
          "timestamp": 1563356930860,
          "user_tz": -120
        },
        "id": "HrqjDLM4VYAL",
        "outputId": "595d0e5f-a856-4208-eb4e-780145e4eece"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "[]"
            ]
          },
          "execution_count": 113,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.labels"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "a98GE9WeXI-D"
      },
      "source": [
        "First seen and last seen times are saved as datetime objets:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 29,
          "status": "ok",
          "timestamp": 1563356947421,
          "user_tz": -120
        },
        "id": "vh6jxsIHVcRP",
        "outputId": "76c53d58-8016-4841-f1da-bb868748a3dc"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "datetime.datetime(2019, 8, 15, 11, 34, 17, 656692)"
            ]
          },
          "execution_count": 114,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.first_seen"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 28,
          "status": "ok",
          "timestamp": 1563356958670,
          "user_tz": -120
        },
        "id": "PMC3gVbwVfe2",
        "outputId": "d7661278-23e1-4d34-c4d0-87606c9e4c50"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "datetime.datetime(2019, 8, 30, 10, 5, 49, 102492)"
            ]
          },
          "execution_count": 115,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.last_seen"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "JLzwWPePXZBS"
      },
      "source": [
        "### Requesting approvals"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "5-cnTvfWXgmX"
      },
      "source": [
        "As in magics API here you also need to request an approval before running flows on a client. To do this simply call `request_approval` method providing a reason for the approval and list of approvers."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "nHLtlu7PX1CD",
        "scrolled": true
      },
      "outputs": [],
      "source": [
        "client.request_approval(approvers=['admin'], reason='Test reason')"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "2ykwCkRjX9ZJ"
      },
      "source": [
        "This method does not wait until the approval is granted. If you need to wait, use `request_approval_and_wait` method that has the same signature."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "Ti7tTi8IYJ-_"
      },
      "source": [
        "### Running flows"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "wb6n7X3oYdL3"
      },
      "source": [
        "To set the flow timeout use `set_flow_timeout` function. 30 seconds is the default value. 0 means exit immediately after the flow started. You can also reset timeout and set it to a default value of 30 seconds."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "c8-ofGIRYzkH"
      },
      "outputs": [],
      "source": [
        "# Wait forever\n",
        "grr_colab.set_no_flow_timeout()\n",
        "\n",
        "# Exit immediately\n",
        "grr_colab.set_flow_timeout(0)\n",
        "\n",
        "# Wait for one minute\n",
        "grr_colab.set_flow_timeout(60)\n",
        "\n",
        "#Wait for 30 seconds\n",
        "grr_colab.set_default_flow_timeout()"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "XKajEW473B_z"
      },
      "source": [
        "Below are examples of flows that you can run."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "oX2zBLSS2o6A"
      },
      "source": [
        "Interrogating a client:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 952
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 31837,
          "status": "ok",
          "timestamp": 1563358052784,
          "user_tz": -120
        },
        "id": "G1SUGwIfZC0T",
        "outputId": "37b3cab8-3014-4c87-d8bb-3d58de97f20f"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'Linux'"
            ]
          },
          "execution_count": 116,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "summary = client.interrogate()\n",
        "summary.system_info.system"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "fAy4VPjE27zB"
      },
      "source": [
        "Listing processes on a client:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 442
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16644,
          "status": "ok",
          "timestamp": 1563357975113,
          "user_tz": -120
        },
        "id": "NDJSC-E6ZJJI",
        "outputId": "71c09e77-0f6f-4339-dceb-f17c8fff8709"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "   PID USER       NI  VIRT   RES S CPU% MEM% Command\n",
              "     1 root        0  220M    9M S  0.0  0.0 /usr/lib/systemd/systemd\n"
            ]
          },
          "execution_count": 120,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "ps = client.ps()\n",
        "ps[:1]"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 252,
          "status": "ok",
          "timestamp": 1563358081333,
          "user_tz": -120
        },
        "id": "Ar5LbaiTZqSf",
        "outputId": "2a5a9616-0bf2-493a-efb7-d600c87234bc"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "     1 root        0  220M    9M S  0.0  0.0 /usr/lib/systemd/systemd"
            ]
          },
          "execution_count": 118,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "ps[0]"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "HK2YtZSgDy6a",
        "outputId": "08b89532-6b63-424e-e7fb-46d6027f0390"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'/usr/lib/systemd/systemd'"
            ]
          },
          "execution_count": 119,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "ps[0].exe"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "OHQ49Ydu3Kfo"
      },
      "source": [
        "Listing files in a directory. Here you need to provide the absolute path to the directory because there is no state."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 85
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16571,
          "status": "ok",
          "timestamp": 1563358160271,
          "user_tz": -120
        },
        "id": "pwV4LY3YZMnJ",
        "outputId": "813cddcd-bab4-4553-adcd-88184515bcfb"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo/baz\n",
              "    📂 dir1 (drwxr-xr-x /tmp/foo/baz/dir1, 4.0 KiB)\n",
              "    📂 dir2 (drwxr-xr-x /tmp/foo/baz/dir2, 4.0 KiB)\n",
              "    📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n",
              "    📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n"
            ]
          },
          "execution_count": 121,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "files = client.ls('/tmp/foo/baz')\n",
        "files"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "Dkl-_mFMDy6i",
        "outputId": "c9840a09-4df5-4801-8ee4-4f1d0ba7996b"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "/tmp/foo/baz/dir1\n",
            "/tmp/foo/baz/dir2\n",
            "/tmp/foo/baz/file1\n",
            "/tmp/foo/baz/file2\n"
          ]
        }
      ],
      "source": [
        "for f in files:\n",
        "  print(f.pathspec.path)"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "2frjg9N73UUD"
      },
      "source": [
        "Recursive listing of a directory is also possible. To do this specify the max depth of the recursion."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 102
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16436,
          "status": "ok",
          "timestamp": 1563358181522,
          "user_tz": -120
        },
        "id": "G59cw2SaaDsA",
        "outputId": "d9bed6bd-c156-4144-a893-6c230799c172"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo\n",
              "    📂 bar (drwxr-xr-x /tmp/foo/bar, 4.0 KiB)\n",
              "    📂 baz (drwxr-xr-x /tmp/foo/baz, 4.0 KiB)\n",
              "        📂 dir1 (drwxr-xr-x /tmp/foo/baz/dir1, 4.0 KiB)\n",
              "        📂 dir2 (drwxr-xr-x /tmp/foo/baz/dir2, 4.0 KiB)\n",
              "            📂 dir3 (drwxr-xr-x /tmp/foo/baz/dir2/dir3, 4.0 KiB)\n",
              "        📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n",
              "        📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n"
            ]
          },
          "execution_count": 125,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "files = client.ls('/tmp/foo', max_depth=3)\n",
        "files"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "gRx6MkL2Dy6o",
        "outputId": "52a15c47-b534-4581-b80c-1feeef35f4eb"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "/tmp/foo/bar\n",
            "/tmp/foo/baz\n",
            "/tmp/foo/baz/dir1\n",
            "/tmp/foo/baz/dir2\n",
            "/tmp/foo/baz/file1\n",
            "/tmp/foo/baz/file2\n",
            "/tmp/foo/baz/dir2/dir3\n"
          ]
        }
      ],
      "source": [
        "for f in files:\n",
        "  print(f.pathspec.path)"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "DcUbrQ4w3g9y"
      },
      "source": [
        "Globbing files:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 51
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16575,
          "status": "ok",
          "timestamp": 1563358222405,
          "user_tz": -120
        },
        "id": "4UicyWmjaOAk",
        "outputId": "e778d8c2-9c30-4d7d-be9b-8fc1d958d196"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo/baz\n",
              "    📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n",
              "    📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n"
            ]
          },
          "execution_count": 127,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "files = client.glob('/tmp/foo/baz/file*')\n",
        "files"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "ExX3Ov9N3m3I"
      },
      "source": [
        "Grepping files with regular expressions:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 85
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16351,
          "status": "ok",
          "timestamp": 1563358382713,
          "user_tz": -120
        },
        "id": "tAua-e_tacHx",
        "outputId": "3b5fb133-e180-4dad-ca3a-1fb73d58ce85"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo/baz/file1:18-22: b'line'\n",
              "/tmp/foo/baz/file1:42-46: b'line'\n",
              "/tmp/foo/baz/file1:65-69: b'LINE'\n",
              "/tmp/foo/baz/file2:18-22: b'line'\n"
            ]
          },
          "execution_count": 128,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "matches = client.grep(path='/tmp/foo/baz/file*', pattern=b'line')\n",
        "matches"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "NJANTWu4Dy6u",
        "outputId": "76c6b4fd-b8f4-4811-fe3d-32d3952ec580"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "/tmp/foo/baz/file1 18 b'line'\n",
            "/tmp/foo/baz/file1 42 b'line'\n",
            "/tmp/foo/baz/file1 65 b'LINE'\n",
            "/tmp/foo/baz/file2 18 b'line'\n"
          ]
        }
      ],
      "source": [
        "for match in matches:\n",
        "  print(match.pathspec.path, match.offset, match.data)"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "5yCGdGnZ98cc",
        "outputId": "7a763eb2-49a8-42e6-f0d2-c69f551484a5"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo/baz/file1:18-22: b'line'\n",
              "/tmp/foo/baz/file1:42-46: b'line'\n",
              "/tmp/foo/baz/file1:65-69: b'LINE'\n",
              "/tmp/foo/baz/file2:18-22: b'line'\n"
            ]
          },
          "execution_count": 130,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "matches = client.grep(path='/tmp/foo/baz/file*', pattern=b'\\x6c\\x69\\x6e\\x65')\n",
        "matches"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "TZoM_ZNx3so6"
      },
      "source": [
        "Grepping files by exact match:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 68
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16559,
          "status": "ok",
          "timestamp": 1563358405056,
          "user_tz": -120
        },
        "id": "NNGjua_Ka543",
        "outputId": "dde49bcf-e072-4af8-a79e-7438d58e7555"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo/baz/file1:18-22: b'line'\n",
              "/tmp/foo/baz/file1:42-46: b'line'\n",
              "/tmp/foo/baz/file2:18-22: b'line'\n"
            ]
          },
          "execution_count": 131,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "matches = client.fgrep(path='/tmp/foo/baz/file*', literal=b'line')\n",
        "matches"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "H60dvwkjXe6r"
      },
      "source": [
        "Downloading files:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 284,
          "status": "ok",
          "timestamp": 1564582209938,
          "user_tz": -120
        },
        "id": "xWv7F8b-Xbzz",
        "outputId": "98f1315b-0f1f-49d2-cbcb-2d4e3e3e9916"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'http://localhost:8000//api/clients/C.dc3782aeab2c5b4c/vfs-blob/fs/os/tmp/foo/baz/file1'"
            ]
          },
          "execution_count": 132,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.wget('/tmp/foo/baz/file1')"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "IZIu38l13wUx"
      },
      "source": [
        "Osquerying a client:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 119
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16466,
          "status": "ok",
          "timestamp": 1563368233299,
          "user_tz": -120
        },
        "id": "JCoU2YTnvpUc",
        "outputId": "7f7cb21c-a3e2-40f1-8868-ed3916fc514f"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "         name nice pid\n",
              "0     systemd    0   1\n",
              "1    kthreadd    0   2\n",
              "2      rcu_gp  -20   3\n",
              "3  rcu_par_gp  -20   4"
            ]
          },
          "execution_count": 133,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "table = client.osquery('SELECT pid, name, nice FROM processes WHERE pid \u003c 5')\n",
        "table"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "tXKsEr76Dy62",
        "outputId": "1e32ca68-ef3f-42b7-e4a5-cef3f37bd57d"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "      name       nice        pid\n",
            "--------------------------------\n",
            "   systemd          0          1\n",
            "  kthreadd          0          2\n",
            "    rcu_gp        -20          3\n",
            "rcu_par_gp        -20          4\n"
          ]
        }
      ],
      "source": [
        "header = ' '.join(str(col.name).rjust(10) for col in table.header.columns)\n",
        "print(header)\n",
        "print('-' * len(header))\n",
        "for row in table.rows:\n",
        "  print(' '.join(map(lambda _: _.rjust(10), row.values)))"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "EFHaqizjDy63"
      },
      "source": [
        "Listing artifacts:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 527
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 9287,
          "status": "ok",
          "timestamp": 1564580841033,
          "user_tz": -120
        },
        "id": "2KDileozYb1O",
        "outputId": "3da7ecbe-0385-4def-e35f-a338f018f40e"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "artifact {\n",
              "  name: \"APTSources\"\n",
              "  doc: \"APT package sources list\"\n",
              "  labels: \"Configuration Files\"\n",
              "  labels: \"System\"\n",
              "  supported_os: \"Linux\"\n",
              "  urls: \"http://manpages.ubuntu.com/manpages/trusty/en/man5/sources.list.5.html\"\n",
              "  sources {\n",
              "    type: FILE\n",
              "    attributes {\n",
              "      dat {\n",
              "        k {\n",
              "          string: \"paths\"\n",
              "        }\n",
              "        v {\n",
              "          list {\n",
              "            content {\n",
              "              string: \"/etc/apt/sources.list\"\n",
              "            }\n",
              "            content {\n",
              "              string: \"/etc/apt/sources.list.d/*.list\"\n",
              "            }\n",
              "          }\n",
              "        }\n",
              "      }\n",
              "    }\n",
              "  }\n",
              "}\n",
              "is_custom: false\n",
              "error_message: \"\""
            ]
          },
          "execution_count": 135,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "artifacts = grr_colab.list_artifacts()\n",
        "artifacts[0]"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "MCJoqe-E30Vl"
      },
      "source": [
        "To collect an artifact you just need to provide its name:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 357
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16302,
          "status": "ok",
          "timestamp": 1563365626678,
          "user_tz": -120
        },
        "id": "tMh1H5M6yJdo",
        "outputId": "cb6771af-94dd-49c0-b911-638c8e0751c9"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "[📄 debian_version (-rw-r--r-- /etc/debian_version, 7 Bytes)]"
            ]
          },
          "execution_count": 136,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.collect('DebianVersion')"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "adbukHZFUOmJ"
      },
      "source": [
        "Running YARA:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 428
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 108368,
          "status": "ok",
          "timestamp": 1564581866783,
          "user_tz": -120
        },
        "id": "Jl_2cg4cCNUk",
        "outputId": "400c013f-838a-4e99-8e67-4fa887e18f74"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "63438 python3\n"
          ]
        }
      ],
      "source": [
        "import os \n",
        "\n",
        "pid = os.getpid()\n",
        "data = \"dadasdasdasdjaskdakdaskdakjdkjadkjakjjdsgkngksfkjadsjnfandankjd\"\n",
        "rule = 'rule TextExample {{ strings: $text_string = \"{data}\" condition: $text_string }}'.format(data=data)\n",
        "\n",
        "matches = client.yara(rule, pids=[pid])\n",
        "print(matches[0].process.pid, matches[0].process.name)"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "taRBdrE22kWA"
      },
      "source": [
        "### Working with files"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "Tn4htZOW4Rhq"
      },
      "source": [
        "You can read ans seek files interacting with them like fith usual python files."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 51
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16589,
          "status": "ok",
          "timestamp": 1563366486663,
          "user_tz": -120
        },
        "id": "Zfx83xG25e3T",
        "outputId": "98f4d556-6118-4fd2-e39b-f2ddd1ca0e9f"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "b'This is the first line\\n'\n"
          ]
        }
      ],
      "source": [
        "with client.open('/tmp/foo/baz/file1') as f:\n",
        "  print(f.readline())"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 119
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 16371,
          "status": "ok",
          "timestamp": 1563366503147,
          "user_tz": -120
        },
        "id": "bihgVIh85qMA",
        "outputId": "0488de5f-a7b8-41b2-f553-fc7f82b1105e"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "b'This is the first line\\n'\n",
            "b'This is the second line\\n'\n",
            "b'This is the third LINE\\n'\n"
          ]
        }
      ],
      "source": [
        "with client.open('/tmp/foo/baz/file1') as f:\n",
        "  for line in f:\n",
        "    print(line)"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 119
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 425,
          "status": "ok",
          "timestamp": 1564582106587,
          "user_tz": -120
        },
        "id": "UTi6l-Mc51LR",
        "outputId": "076d95d4-4073-4c0d-821a-d23f4f858bb0"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "b'This is the first line'\n",
            "b'This is the first line'\n",
            "b'\\nThis is the second line\\nThis is the third LINE\\n'\n"
          ]
        }
      ],
      "source": [
        "with client.open('/tmp/foo/baz/file1') as f:\n",
        "  print(f.read(22))\n",
        "  f.seek(0)\n",
        "  print(f.read(22))\n",
        "  print(f.read())"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "KC_6MOF235UG"
      },
      "source": [
        "### Cached data"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "Huy_FSnI6QOH"
      },
      "source": [
        "To fetch server cached data use `cached` property of a client object."
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "lBvLrG_T6YXr"
      },
      "source": [
        "You can list files in directory (recursively also) and read and dowload files as above:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 85
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 777,
          "status": "ok",
          "timestamp": 1563366889118,
          "user_tz": -120
        },
        "id": "PFdhZ8TA7HUW",
        "outputId": "75c2aa98-3e28-4440-85d8-1725b5bc7aaf"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo/baz\n",
              "    📂 dir1 (drwxr-xr-x /tmp/foo/baz/dir1, 4.0 KiB)\n",
              "    📂 dir2 (drwxr-xr-x /tmp/foo/baz/dir2, 4.0 KiB)\n",
              "    📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n",
              "    📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n"
            ]
          },
          "execution_count": 143,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "files = client.cached.ls('/tmp/foo/baz')\n",
        "files"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 102
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 1693,
          "status": "ok",
          "timestamp": 1563366892304,
          "user_tz": -120
        },
        "id": "J-BueDOJ7N8D",
        "outputId": "1c40cc1d-140f-423b-bea2-9a97644ea864"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo/baz\n",
              "    📂 dir1 (drwxr-xr-x /tmp/foo/baz/dir1, 4.0 KiB)\n",
              "    📂 dir2 (drwxr-xr-x /tmp/foo/baz/dir2, 4.0 KiB)\n",
              "        📂 dir3 (drwxr-xr-x /tmp/foo/baz/dir2/dir3, 4.0 KiB)\n",
              "    📄 file1 (-rw-r--r-- /tmp/foo/baz/file1, 70 Bytes)\n",
              "    📄 file2 (-rw-r--r-- /tmp/foo/baz/file2, 23 Bytes)\n"
            ]
          },
          "execution_count": 144,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "files = client.cached.ls('/tmp/foo/baz', max_depth=2)\n",
        "files"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 119
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 463,
          "status": "ok",
          "timestamp": 1563366897538,
          "user_tz": -120
        },
        "id": "jgDgLoTp7XjK",
        "outputId": "3b9e7ce6-be3d-4a41-8a3d-3b5793a34a3c"
      },
      "outputs": [
        {
          "name": "stdout",
          "output_type": "stream",
          "text": [
            "b'This is the first line\\n'\n",
            "b'This is the second line\\n'\n",
            "b'This is the third LINE\\n'\n"
          ]
        }
      ],
      "source": [
        "with client.cached.open('/tmp/foo/baz/file1') as f:\n",
        "  for line in f:\n",
        "    print(line)"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {
          "height": 34
        },
        "colab_type": "code",
        "executionInfo": {
          "elapsed": 553,
          "status": "ok",
          "timestamp": 1564582151558,
          "user_tz": -120
        },
        "id": "r38OpE5yXJyj",
        "outputId": "0351711c-86bf-4dd8-b487-c5844a373e38"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "'http://localhost:8000//api/clients/C.dc3782aeab2c5b4c/vfs-blob/fs/os/tmp/foo/baz/file1'"
            ]
          },
          "execution_count": 146,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.cached.wget('/tmp/foo/baz/file1')"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "oNcKjnfU7c2G"
      },
      "source": [
        "You can also refresh filesystem metadata that is cached on the server by calling `refresh` method (that will refresh the contents of the directory and not its subdirectories):"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "NexQ7-Zr7wYd"
      },
      "outputs": [],
      "source": [
        "client.cached.refresh('/tmp/foo/baz')"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "r-X01rJk8A0c"
      },
      "source": [
        "To refresh a  directory recursively specify `max_depth` parameter:"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "jOTJy6AR8AjG"
      },
      "outputs": [],
      "source": [
        "client.cached.refresh('/tmp/foo/baz', max_depth=2)"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "by_SZCm498c6"
      },
      "outputs": [],
      "source": [
        "### Path types"
      ]
    },
    {
      "cell_type": "markdown",
      "metadata": {
        "colab_type": "text",
        "id": "L7w69_-ADy7J"
      },
      "source": [
        "To specify path type, just use one of the client properties: `client.os` (the same as just using `client`), `client.tsk`, `client.registry`."
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "cY4dHk3pDy7J",
        "outputId": "c5c8da58-db51-462c-d580-bc27feafe7f0"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo\n",
              "    📂 bar (drwxr-xr-x /tmp/foo/bar, 4.0 KiB)\n",
              "    📂 baz (drwxr-xr-x /tmp/foo/baz, 4.0 KiB)\n"
            ]
          },
          "execution_count": 147,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.os.ls('/tmp/foo')"
      ]
    },
    {
      "cell_type": "code",
      "execution_count": 0,
      "metadata": {
        "colab": {},
        "colab_type": "code",
        "id": "Lr70KD58Dy7K",
        "outputId": "7fbba4df-1cb2-4a01-e677-0059f50c9755"
      },
      "outputs": [
        {
          "data": {
            "text/plain": [
              "\n",
              "/tmp/foo\n",
              "    📂 bar (drwxr-xr-x /tmp/foo/bar, 4.0 KiB)\n",
              "    📂 baz (drwxr-xr-x /tmp/foo/baz, 4.0 KiB)\n"
            ]
          },
          "execution_count": 148,
          "metadata": {
            "tags": []
          },
          "output_type": "execute_result"
        }
      ],
      "source": [
        "client.os.cached.ls('/tmp/foo')"
      ]
    }
  ],
  "metadata": {
    "colab": {
      "collapsed_sections": [],
      "last_runtime": {
        "build_target": "",
        "kind": "local"
      },
      "name": "GRR Colab API.ipynb",
      "provenance": [],
      "version": "0.3.2"
    },
    "kernelspec": {
      "display_name": "Python 3",
      "language": "python",
      "name": "python3"
    },
    "language_info": {
      "codemirror_mode": {
        "name": "ipython",
        "version": 3
      },
      "file_extension": ".py",
      "mimetype": "text/x-python",
      "name": "python",
      "nbconvert_exporter": "python",
      "pygments_lexer": "ipython3",
      "version": "3.7.4"
    }
  },
  "nbformat": 4,
  "nbformat_minor": 0
}
